Mohammad Atwi

Published On: 11 May 2019

Leaking the list of followers for any Facebook page.

Privacy/Authentication
Facebook | Web
---
VALID
Description

An attacker can view the list of followers of any Facebook page, without holding any role on that page, by requesting the list through the mobile sites (m.facebook.com, mbasic.facebook.com).

Impact

Leaking the list of followers for any Facebook page.




Reproduction Steps

Step 1

Create any Facebook page and browse it using the mobile version, m.facebook.com.

Step 2

Open the Settings section of your page, then choose the "People and Other Pages" section.


Step 3

(See the attached image.) Notice that the Followers tab is not displayed in the mobile version. The tabs that do appear are: Banned people, Pages that like this page, and People who liked this page.


Step 4

Open each tab and note the URL it loads. Banned users:

https://m.facebook.com/browse/blocked_users/?id=your_page_id

People who liked this page:

https://m.facebook.com/browse/fans/?id=your_page_id

So I tried changing my page ID to a victim page ID (a page I don't have a role on), and unfortunately a message appeared: "You don't have permission to view this list."

Step 5

But wait! What about the "Followers" tab?

It does not appear in the UI, as mentioned in step 3.

But notice from step 4 that the directory name of the followers list is easy to guess, since the other two follow the same pattern:

m.facebook.com/browse/fans/?id=your_page_id

m.facebook.com/browse/blocked_users/?id=your_page_id

The first word that came to my mind for the followers list directory was "followers":

https://m.facebook.com/browse/followers/?id=Victim_id

I changed the directory name, then changed the id parameter to any Facebook page ID, and successfully fetched the followers!
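The bug class behind steps 4 and 5 is a family of sibling "browse" endpoints (/browse/<list_name>/?id=<page_id>) where the page-role check exists on some list types but was never added to one of them. The Python below is an added example, not code from the original report and not Facebook's code: it models that inconsistent per-endpoint check next to a fixed variant that enforces the role check in one place before any list-specific code runs, and turns the manual enumeration into a probe that walks guessable list names with an identity that holds no role on the target page. The page IDs, user names and list contents are constructed sample data.

```python
# Added example, not code from the original report or from Facebook: a toy
# model of sibling "browse" endpoints (/browse/<list_name>/?id=<page_id>)
# where one list type is missing the page-role check its siblings enforce,
# plus a probe that finds the inconsistent one.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Page:
    page_id: int
    admins: Set[str]          # users holding a role on the page
    fans: List[str]           # "people who liked this page"
    followers: List[str]
    blocked_users: List[str]  # "banned people"


# Constructed sample data (hypothetical IDs and names). "alice" has a role
# only on page 100; page 200 is the "victim" page she holds no role on.
PAGES: Dict[int, Page] = {
    100: Page(100, {"alice"}, ["u1", "u2"], ["u1", "u2", "u3"], ["spammer"]),
    200: Page(200, {"bob"}, ["u4"], ["u4", "u5"], []),
}


class PermissionDenied(Exception):
    """Stands in for the site's 'you don't have permission to view this list' answer."""


def browse_vulnerable(list_name: str, page_id: int, viewer: str) -> List[str]:
    """Each list branch does its own role check, so one branch can ship without it."""
    page = PAGES[page_id]
    if list_name == "fans":
        if viewer not in page.admins:
            raise PermissionDenied(list_name)
        return list(page.fans)
    if list_name == "blocked_users":
        if viewer not in page.admins:
            raise PermissionDenied(list_name)
        return list(page.blocked_users)
    if list_name == "followers":
        # BUG: the role check was never added to this branch.
        return list(page.followers)
    raise KeyError(list_name)  # no such list endpoint


# Fixed variant: the role check lives in one place and runs before any
# list-specific code, so adding a new list name cannot bypass it.
PRIVATE_LISTS: Dict[str, Callable[[Page], List[str]]] = {
    "fans": lambda p: list(p.fans),
    "blocked_users": lambda p: list(p.blocked_users),
    "followers": lambda p: list(p.followers),
}


def browse_fixed(list_name: str, page_id: int, viewer: str) -> List[str]:
    getter = PRIVATE_LISTS[list_name]   # unknown list names are rejected first
    page = PAGES[page_id]
    if viewer not in page.admins:
        raise PermissionDenied(list_name)
    return getter(page)


def probe_authz(handler: Callable[[str, int, str], List[str]],
                page_id: int, viewer: str, candidates: List[str]) -> List[str]:
    """Request every candidate list name as `viewer` (who holds no role on
    `page_id`) and return the names that hand back data instead of a denial.
    This is the guess-the-directory enumeration turned into a repeatable check."""
    leaks = []
    for name in candidates:
        try:
            handler(name, page_id, viewer)
        except PermissionDenied:
            continue               # the check is present for this list
        except KeyError:
            continue               # endpoint does not exist under that name
        leaks.append(name)
    return leaks


if __name__ == "__main__":
    names = ["fans", "blocked_users", "followers", "likes", "admins"]
    print("vulnerable:", probe_authz(browse_vulnerable, 200, "alice", names))
    print("fixed:     ", probe_authz(browse_fixed, 200, "alice", names))
```

Run as a script it reports `['followers']` for the vulnerable handler and `[]` for the fixed one. The point of the fixed variant is structural: the authorization decision is made once, keyed on the page and the viewer rather than on the list name, so a hidden or newly added list cannot be reached without it. The probe is the regression test a pentester or the product team would keep, since the same guess-a-sibling-name technique applies to any endpoint family that differs only in a path segment.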

Timeline
Mohammad 05 Sep 2017

Initial Report

Facebook 11 Sep 2017

Report Triaged: Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

Facebook 20 Oct 2017

Bug Fixed: We have looked into this issue and believe that the vulnerability has been patched. Please follow up with us if you believe that the patch does n ...

Mohammad 21 Oct 2017

Confirmation

Facebook 01 Nov 2017

Thanks for the confirmation!
